Restrict External Traffic

Trend Cloud One™ – Conformity is a continuous assurance tool that provides peace of mind for your cloud infrastructure, delivering over 1000 automated best practice checks.

Risk Level: Medium (should be achieved)

Ensure that Amazon App Mesh allows egress only from virtual nodes to other defined resources available within the service mesh (and any traffic to *.amazonaws.com for AWS API calls) in order to follow security best practices and meet compliance requirements.

Security

Amazon App Mesh gives you controls to configure how traffic flows between your microservices. You can choose whether or not to allow App Mesh services to communicate with the outside world. If you choose to allow external traffic, any traffic sent to external services is forwarded through the Envoy proxies as plain TCP traffic. If you choose to deny external traffic, the proxies will not forward traffic to external services that are not defined in the mesh. To adhere to cloud security best practices and minimize the risk of data exfiltration from a compromised service, traffic to external services should be denied.


Audit

To determine if your App Mesh service meshes are configured to allow external egress traffic, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to examine, available in the Mesh name column.

05 Choose the Details tab and check the Egress filter configuration attribute value. If the Egress filter attribute value is set to Allow external traffic, the selected Amazon App Mesh service mesh allows all external egress traffic to be forwarded through the proxy untouched.

06 Repeat steps no. 4 and 5 to verify the egress filter status for other App Mesh service meshes created within the current AWS cloud region.

07 Change the AWS region from the navigation bar and repeat the audit process for other regions.

Using AWS CLI

01 Run list-meshes command (OSX/Linux/UNIX) with custom query filters to list the names of all the Amazon App Mesh service meshes created in the selected AWS cloud region:

aws appmesh list-meshes \
  --region us-east-1 \
  --query 'meshes[*].meshName'

02 The command output should return an array with the requested mesh name(s):

[
  "cc-production-app-mesh",
  "cc-docker-web-app-mesh",
  "cc-development-app-mesh"
]

03 Run describe-mesh command (OSX/Linux/UNIX) using the name of the App Mesh service mesh that you want to examine as the identifier parameter and custom query filters to describe the type of the egress filter configured for the selected service mesh:

aws appmesh describe-mesh \
  --region us-east-1 \
  --mesh-name cc-production-app-mesh \
  --query 'mesh.spec.egressFilter.type'

04 The command output should return the requested filter type: either "ALLOW_ALL", which allows egress to any endpoint inside or outside of the service mesh, or "DROP_ALL", which allows egress only from virtual nodes to other defined resources in the service mesh:

"ALLOW_ALL"

If the describe-mesh command output returns "ALLOW_ALL", the selected Amazon App Mesh service mesh allows all external egress traffic to be forwarded through the proxy untouched.

05 Repeat steps no. 3 and 4 to check the egress filter type for other App Mesh service meshes available in the selected AWS cloud region.

06 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 5 to perform the audit process for other regions.

Remediation / Resolution

To disable external egress traffic for your Amazon App Mesh service meshes, perform the following operations:

Using AWS Console

01 Sign in to the AWS Management Console.

02 Navigate to Amazon App Mesh console at https://console.aws.amazon.com/appmesh/.

03 In the navigation panel, under AWS App Mesh, choose Meshes.

04 Click on the name of the service mesh that you want to reconfigure, available in the Mesh name column.

05 Click on the Edit button from the console top menu to modify the selected service mesh configuration.

06 In the Mesh configuration section, choose Deny external traffic under Egress filter to disable external egress traffic for the selected App Mesh service mesh. Choose Save to apply the configuration changes. The service mesh now allows egress traffic only from virtual nodes to other defined resources in the service mesh (and any traffic to *.amazonaws.com for AWS API calls).

07 Repeat steps no. 4 – 6 to disable external traffic for other App Mesh service meshes created within the current AWS cloud region.

08 Change the AWS region from the navigation bar and repeat the remediation process for other regions.

Using AWS CLI

01 Run update-mesh command (OSX/Linux/UNIX) using the name of the Amazon App Mesh service mesh that you want to reconfigure as the identifier parameter, to disable the external egress traffic for the selected service mesh:

aws appmesh update-mesh \
  --region us-east-1 \
  --mesh-name cc-production-app-mesh \
  --spec egressFilter={type=DROP_ALL}

02 The command output should return the metadata available for the reconfigured service mesh:

{
  "mesh": {
    "meshName": "cc-production-app-mesh",
    "metadata": {
      "arn": "arn:aws:appmesh:us-east-1:123456789012:mesh/cc-production-app-mesh",
      "createdAt": "2021-01-28T10:00:00.000000+00:00",
      "lastUpdatedAt": "2021-01-28T15:00:00.000000+00:00",
      "meshOwner": "123456789012",
      "resourceOwner": "123456789012",
      "uid": "abcdabcd-1234-abcd-1234-abcd1234abcd",
      "version": 4
    },
    "spec": {
      "egressFilter": {
        "type": "DROP_ALL"
      }
    },
    "status": {
      "status": "ACTIVE"
    }
  }
}

03 Repeat steps no. 1 and 2 to disable external traffic for other App Mesh service meshes available in the selected AWS cloud region.

04 Change the AWS region by updating the --region command parameter value and repeat steps no. 1 – 3 to perform the remediation process for other regions.
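The CLI audit (list-meshes, describe-mesh) and remediation (update-mesh) procedures above, combined into one added Python/boto3 example that is not Conformity's own code: it pages through every mesh in a region, flags those whose egress filter is ALLOW_ALL, and optionally switches them to DROP_ALL. It assumes that a mesh whose spec carries no egressFilter uses the service default of DROP_ALL, and the region list in the main block is a placeholder to extend.

```python
"""Audit (and optionally remediate) the egress filter of every App Mesh service mesh.

Added example for this rule, not Conformity's own code. The boto3 calls mirror the
CLI commands above: list-meshes, describe-mesh and update-mesh.
"""
from typing import Iterator

ALLOW_ALL = "ALLOW_ALL"
DROP_ALL = "DROP_ALL"


def list_mesh_names(client) -> Iterator[str]:
    """Yield every mesh name in the client's region, following nextToken pagination."""
    kwargs = {}
    while True:
        page = client.list_meshes(**kwargs)
        for mesh in page.get("meshes", []):
            yield mesh["meshName"]
        token = page.get("nextToken")
        if not token:
            return
        kwargs = {"nextToken": token}


def egress_filter_type(client, mesh_name: str) -> str:
    """Return the configured egress filter type (same data as the describe-mesh query).

    A mesh with no egressFilter in its spec is treated as DROP_ALL, assumed here to be
    the service default.
    """
    spec = client.describe_mesh(meshName=mesh_name)["mesh"].get("spec", {})
    return spec.get("egressFilter", {}).get("type", DROP_ALL)


def audit_region(client, remediate: bool = False) -> list:
    """Return the names of meshes that allow external egress; fix them when asked."""
    noncompliant = []
    for name in list_mesh_names(client):
        if egress_filter_type(client, name) != ALLOW_ALL:
            continue
        noncompliant.append(name)
        if remediate:
            # Same change as `aws appmesh update-mesh --spec egressFilter={type=DROP_ALL}`.
            client.update_mesh(meshName=name, spec={"egressFilter": {"type": DROP_ALL}})
    return noncompliant


if __name__ == "__main__":
    import boto3  # imported here so the audit logic stays importable without boto3

    for region in ("us-east-1", "eu-west-1"):  # placeholder list; cover every region you use
        for mesh in audit_region(boto3.client("appmesh", region_name=region)):
            print(f"{region}: {mesh} allows external egress (ALLOW_ALL)")
```

Run it with `remediate=True` only after reviewing the findings, since DROP_ALL breaks any workload that still relies on direct calls to endpoints outside the mesh.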

Publication date Feb 6, 2021